Account plugins should be made confinable by apparmor

Bug #1219644 reported by Alberto Mardegan
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical Click Reviewers tools (obsolete)
Fix Released
Medium
Jamie Strandboge
Online Accounts setup for Ubuntu Touch
Fix Released
Medium
Alberto Mardegan
Ubuntu Developer Portal
Confirmed
High
Unassigned
apparmor-easyprof-ubuntu (Ubuntu)
Fix Released
Medium
Jamie Strandboge
ubuntu-system-settings-online-accounts (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

With the current implementation, the QML files for account plugins are executed by the Online Accounts QML applet which in turn is executed within the System Settings process, which probably means that malicious account plugins could control everything that the System Settings process can (like entering/exiting the flight mode).

Account plugins (or the Online Accounts applet itself) should probably be run in a separate process, which could then be assigned a stricter confinement with apparmor.

Related branches

David Barth (dbarth)
Changed in ubuntu-system-settings-online-accounts:
assignee: nobody → Alberto Mardegan (mardy)
importance: High → Medium
Alberto Mardegan (mardy)
Changed in ubuntu-system-settings-online-accounts:
status: Confirmed → In Progress
Revision history for this message
Alberto Mardegan (mardy) wrote :

The attached branch is a WIP with the changes on the Online Accounts part.

I added the apparmor-easyprof-ubuntu project to the bug because I think we'll need some changes there:

- There should be a way to specify an apparmor policy file for an account plugin, in the manifest file. This policy will typically contain the "accounts" policy, and then often also the "networking" and "webview" policies; but I'd rather let the developer explicitly declare all of the needed policies.

- The account plugin should have access to a unix socket: /run/user/<user-id>/online-accounts-ui/ui-<random-number>
  This is probably not really necessary with the current WIP code, since we call aa_change_profile() after connecting to that socket; we'll understand this better when we can test the whole thing.

- The account plugin should be able to send method calls on this D-Bus service (on the session bus):
  service=com.google.code.AccountsSSO.Accounts.Manager
  path=/com/google/code/AccountsSSO/Accounts/Manager
  interface=com.google.code.AccountsSSO.Accounts.Manager
  (the service then will itself check the apparmor label of the peer and decide whether to process the request or not)

Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
status: New → Confirmed
Changed in click-reviewers-tools:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
tags: added: application-confinement
Revision history for this message
Alberto Mardegan (mardy) wrote :

I'll update the bug with comments as I find new apparmor rules being required.
So, this is also required:

  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,

Revision history for this message
Alberto Mardegan (mardy) wrote :

I can create an evernote account with these rules:

  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
  dbus (send)
       bus=session
       path="/com/google/code/AccountsSSO/Accounts/Manager"
       interface="com.google.code.AccountsSSO.Accounts.Manager"
       member="store"
       peer=(name=com.google.code.AccountsSSO.Accounts.Manager,label=unconfined),

Revision history for this message
Alberto Mardegan (mardy) wrote :

Latest version:

  owner /{,var/}run/user/*/online-accounts-ui/ui-*-@{APP_PKGNAME}_@{APP_APPNAME} rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
  dbus (send)
       bus=session
       path="/com/google/code/AccountsSSO/Accounts/Manager"
       interface="com.google.code.AccountsSSO.Accounts.Manager"
       member="store"
       peer=(name=com.google.code.AccountsSSO.Accounts.Manager,label=unconfined),

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-system-settings-online-accounts - 0.6+15.04.20150116-0ubuntu1

---------------
ubuntu-system-settings-online-accounts (0.6+15.04.20150116-0ubuntu1) vivid; urgency=medium

  [ Alberto Mardegan ]
  * New upstream release
    - Make sure app items are not overlaid on top of each other (LP: #1384314)
    - Remove snap decision fallback
    - Make account plugins confinable (LP: #1219644)

  [ Ubuntu daily release ]
  * New rebuild forced
 -- Ubuntu daily release <email address hidden> Fri, 16 Jan 2015 17:18:06 +0000

Changed in ubuntu-system-settings-online-accounts (Ubuntu):
status: New → Fix Released
Alberto Mardegan (mardy)
Changed in ubuntu-system-settings-online-accounts:
status: In Progress → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The approach to take is to create an 'ubuntu-account-plugin' template. Mardy, do you have an example click I could use to test exactly what is needed?

Revision history for this message
Alberto Mardegan (mardy) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I started playing with this and have a few observations:
* the account plugin is trying to access /proc/<pid>/attr/current - should this be explicitly denied to silence the denial?
* the account plugin is trying to create /home/phablet/.cache/online-accounts-ui/ -- this should be created on the account plugin's behalf
* this account plugin seems to want the audio policy group. this isn't a problem, it just wasn't mentioned before

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Also, something isn't honoring and/or setting TMPDIR, since I'm seeing denials like this:
Feb 3 21:32:09 ubuntu-phablet kernel: [ 5292.570730] type=1400 audit(1422999129.043:411): apparmor="DENIED" operation="mknod" profile="com.ubuntu.reminders_evernote-account-plugin_0.5.latest" name="/tmp/etilqs_Ka88o35o73fdKe8" pid=9590 comm="BrowserBlocking" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Using this for the evernote-account-plugin.apparmor:
{
    "template": "ubuntu-account-plugin",
    "policy_groups": [
        "accounts",
        "audio",
        "networking",
        "webview"
    ],
    "policy_version": 1.2
}

with apparmor-easyprof-ubuntu 1.3.4 (pending upload), I can successfully create an account under confinement. The reminders app itself is unable to use the account (I can start it, but it never leaves the splash screen). There are some denials:
...
Feb 3 21:37:50 ubuntu-phablet kernel: [ 5634.484968] type=1400 audit(1422999470.948:429): apparmor="DENIED" operation="mknod" profile="com.ubuntu.reminders_evernote-account-plugin_0.5.latest" name="/tmp/etilqs_R5PWXVRkWjQcVBC" pid=10898 comm="BrowserBlocking" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.3.4

---------------
apparmor-easyprof-ubuntu (1.3.4) vivid; urgency=medium

  [ Alberto Mardegan ]
  * ubuntu/accounts: explictly deny access to the p2p socket. This will now be
    available only to unconfined apps to support a trusted socket for
    privileged processes (LP: #1415492)

  [ Jamie Strandboge ]
  * add ubuntu/1.2/ubuntu-account-plugin template and add to 1.3 policy
    (LP: #1219644)
  * adjust expected_templates_12 in autopkgtests to have ubuntu-account-plugin
  * ubuntu/webview: allow /sys/devices/system/cpu/*/cpufreq/cpuinfo_max_freq
    readonly access
 -- Jamie Strandboge <email address hidden> Tue, 03 Feb 2015 16:24:15 -0600

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Alberto Mardegan (mardy) wrote : Re: [Bug 1219644] Re: Account plugins should be made confinable by apparmor

On 02/03/2015 11:28 PM, Jamie Strandboge wrote:
> I started playing with this and have a few observations:
> * the account plugin is trying to access /proc/<pid>/attr/current - should this be explicitly denied to silence the denial?

No, I think that this happens because the account plugin code is calling
aa_gettaskcon(), but when creating the account the PID should actually
be the one from the account plugin itself, since it's the one making the
request.
I'll modify the plugin not to call aa_gettaskcon() if the PID to check
is == getpid().

> * the account plugin is trying to create /home/phablet/.cache/online-accounts-ui/ -- this should be created on the account plugin's behalf

Indeed, I'll make sure that this is created before the plugin is executed.

> * this account plugin seems to want the audio policy group. this isn't a problem, it just wasn't mentioned before

I saw some weird denials, but it was working anyway. Good that you found
what it was :-)

About the last denial,

  Feb 3 21:32:09 ubuntu-phablet kernel: [ 5292.570730] type=1400
audit(1422999129.043:411): apparmor="DENIED" operation="mknod"
profile="com.ubuntu.reminders_evernote-account-plugin_0.5.latest"
name="/tmp/etilqs_Ka88o35o73fdKe8" pid=9590 comm="BrowserBlocking"
requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

I have no idea what this is; I guess it might be coming from oxide?

Changed in ubuntu-system-settings-online-accounts:
status: Fix Released → Confirmed
Changed in ubuntu-system-settings-online-accounts (Ubuntu):
status: Fix Released → Confirmed
Revision history for this message
Alberto Mardegan (mardy) wrote :

Reopening for ubuntu-system-settings-online-accounts, since we have still some work to do.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Regarding the /tmp access-- I'm guessing that TMPDIR is not being set by the process launching the confined plugin. It can be set to one of the writable directories in the 1.3.4 policy; I suggest /run/user/$USER/online-accounts-ui/@{APP_PKGNAME}_@{APP_APPNAME}/ since it is in /run and will be cleaned on reboot. If you pick this, I'll adjust the policy.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-system-settings-online-accounts - 0.6+15.04.20150319-0ubuntu1

---------------
ubuntu-system-settings-online-accounts (0.6+15.04.20150319-0ubuntu1) vivid; urgency=medium

  [ Alberto Mardegan ]
  * Merge from upstream
    - Add account data as search keywords (LP: #1373279)
    - Delete accounts when their plugin is removed (LP: #1413542)
    - More fixes for plugin confinement (LP: #1219644)
    - Fail initialization if trust session cannot be setup (LP: #1420847)

  [ CI Train Bot ]
  * Resync trunk
  * Resync trunk
  * Resync trunk
  * Resync trunk
 -- CI Train Bot <email address hidden> Thu, 19 Mar 2015 10:52:45 +0000

Changed in ubuntu-system-settings-online-accounts (Ubuntu):
status: Confirmed → Fix Released
Alberto Mardegan (mardy)
Changed in ubuntu-system-settings-online-accounts:
status: Confirmed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

>> * the account plugin is trying to create /home/phablet/.cache/online-accounts-ui/ -- this should be created on the account plugin's behalf

> Indeed, I'll make sure that this is created before the plugin is executed.

This is still not fixed:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=15145 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Also, why is it trying to create /home/phablet/.cache/QML/Apps/online-accounts-ui/? We agreed it should be using @{HOME}/.cache/online-accounts-ui/ which is what the apparmor policy allows (ie, QML/Apps is inserted in the path and this isn't allowed by the profile).

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Also, if I allow this access in the profile, then the next denial is:
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073" pid=17998 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

The rules we agreed we would allow for this is:
  owner /{,var/}run/user/*/online-accounts-ui/ui-*-@{APP_PKGNAME}_@{APP_APPNAME} rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,

This is on:
$ system-image-cli -i
current build number: 169
device name: mako
channel: ubuntu-touch/rc-proposed/ubuntu
last update: 2015-06-21 17:39:00
version version: 169
version ubuntu: 20150621
version device: 20150210
version custom: 20150621

Changed in click-reviewers-tools:
status: Confirmed → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

These latest issues are now being tracked in bug #1468792.

Changed in click-reviewers-tools:
status: In Progress → Fix Released
Changed in developer-ubuntu-com:
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Daniel Holbach (dholbach) wrote :
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.